
Facebook Fined $11.3M for Privacy Violations

Italy’s regulator found the social giant guilty of misleading consumers as to what it does with their data.

Facebook faces its second privacy-related fine in Europe, with the most recent action taken by the Italian Competition Authority. On Friday, Facebook was hit with two fines, totaling 10 million Euros (about $11.3 million), for violating Italy’s Consumer Code.

The Italian Competition Authority (ICA) found that Facebook violated several articles of the statute by misleading consumers about how their data would be used. These include Articles 21 and 22. The ICA found that Facebook doesn’t explicitly inform people when they register that their information will be used for commercial purposes.

“Facebook emphasizes the free nature of the service but not the commercial objectives that underlie the provision of the social network service, thus inducing users into making a transactional decision that they would not have taken otherwise,” the ICA said in a notice on Friday. “The information provided is in fact general and incomplete and does not adequately make a distinction between the use of data to personalize the service (in order to connect ‘consumer’ users with each other) and the use of data to carry out advertising campaigns aimed at specific targets.”

The authority also found that Facebook, in violation of Articles 24 and 25, actively sends consumer data to third-party websites and apps for commercial purposes, by default and without express consent. Additionally, when users decide to limit their consent, they are faced with significant restrictions on the use of the social network. Inducing users to “maintain the pre-selected choice” represents “undue influence,” according to the ICA, and prevents users from being able to make a free, informed choice.

“In the wake of European data privacy laws that were fairly generic in nature, rulings such as this one will provide vital precedent and context to companies and hopefully push them to adhere to data privacy both in practice and in spirit,” Abhishek Iyer, technical marketing manager at Demisto, told Threatpost. He added, “In the future, regulators should move to buttress existing law frameworks with more specific and detailed requirements of what information companies should make explicit to their users. Users should also be allowed to revoke the sharing of their data at any time and should be aware of any third parties that their data is being shared with. The more transparent this information is, the less the chance of ‘dark pattern’ user experiences that bank on users not being aware of where their data is going.”

Second European Fine

The action is the second fine that the social network has faced across the pond. In October, the UK fined Facebook $645,000 over Cambridge Analytica’s data harvesting practices, which exploited the data of 87 million users.

Both sets of fines represent a gnat bite for the tech giant, which generated $5.1 billion in net profit in the second quarter of the year. However, the amounts reflect the fact that the investigations were opened before the EU’s General Data Protection Regulation (GDPR) went into effect; that happened in May.

“But for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty,” noted the UK’s Information Commissioner’s Office (ICO).

It’s safe to say that Facebook has thus far dodged a bullet: The GDPR stipulates a maximum fine of 4 percent of annual global turnover (approximately $1.6 billion in Facebook’s case). However, the increased scrutiny is notable in and of itself.

“2018 has been the year that privacy hit a sore spot with consumers, and the various internet properties that monetize data no longer have a free rein,” David Ginsburg, vice president of marketing at Cavirin, told Threatpost. “Though the EU has taken the lead with GDPR and other regulations such as Italy’s Consumer Code, the U.S. is following suit with regulations such as the California Consumer Privacy Act and parallel regulations on the national level expected in 2019. The specific description of Facebook’s breaches is very telling and should be closely read by others operating in the EU as to their own exposure.”

Authors

Threatpost
